suimeng
/
honojs-middleware
mirror of https://github.com/honojs/middleware.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(arktype-validator): Don't return restricted fields in error responses (#1137) 

* fix(arktype-validator): add failing test for cookie header

* fix(arktype-validator): add restricted fields that are not returned in the "data" field of the error

* chore: add changeset
pull/1145/head
Andrei 2025-04-28 08:17:34 +02:00 committed by GitHub
parent 928f8cd5b8
commit 01cd896e9b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.changeset/silent-worms-mate.md 100644
View File

@ -0,0 +1,5 @@
---
'@hono/arktype-validator': patch
---
Don't return restricted data fields on error responses

27
packages/arktype-validator/src/index.test.ts
View File

@ -35,6 +35,17 @@ describe('Basic', () => {
} }
) )
app.get(
'/headers',
arktypeValidator(
'header',
type({
'User-Agent': 'string',
})
),
(c) => c.json({ success: true, userAgent: c.header('User-Agent') })
)
type Actual = ExtractSchema<typeof route> type Actual = ExtractSchema<typeof route>
type Expected = { type Expected = {
'/author': { '/author': {
@ -98,6 +109,22 @@ describe('Basic', () => {
const data = (await res.json()) as { success: boolean } const data = (await res.json()) as { success: boolean }
expect(data['success']).toBe(false) expect(data['success']).toBe(false)
}) })
it("doesn't return cookies after headers validation", async () => {
const req = new Request('http://localhost/headers', {
headers: {
'User-Agent': 'invalid',
Cookie: 'SECRET=123',
},
})
const res = await app.request(req)
expect(res).not.toBeNull()
expect(res.status).toBe(400)
const data = (await res.json()) as { succcess: false; errors: type.errors }
expect(data.errors).toHaveLength(1)
expect(data.errors[0].data).not.toHaveProperty('cookie')
})
}) })
describe('With Hook', () => { describe('With Hook', () => {

30
packages/arktype-validator/src/index.ts
View File

@ -10,6 +10,10 @@ export type Hook<T, E extends Env, P extends string, O = {}> = (
type HasUndefined<T> = undefined extends T ? true : false type HasUndefined<T> = undefined extends T ? true : false
const RESTRICTED_DATA_FIELDS = {
header: ['cookie'],
}
export const arktypeValidator = < export const arktypeValidator = <
T extends Type, T extends Type,
Target extends keyof ValidationTargets, Target extends keyof ValidationTargets,
@ -54,7 +58,31 @@ export const arktypeValidator = <
return c.json( return c.json(
{ {
success: false, success: false,
errors: out, errors:
target in RESTRICTED_DATA_FIELDS
? out.map((error) => {
const restrictedFields =
RESTRICTED_DATA_FIELDS[target as keyof typeof RESTRICTED_DATA_FIELDS] || []
if (
error &&
typeof error === 'object' &&
'data' in error &&
typeof error.data === 'object' &&
error.data !== null &&
!Array.isArray(error.data)
) {
const dataCopy = { ...(error.data as Record<string, unknown>) }
for (const field of restrictedFields) {
delete dataCopy[field]
}
error.data = dataCopy
}
return error
})
: out,
}, },
400 400
) )